What I have been up to: SRX performance is off the charts

Well I kind of hate just putting something about nothing, but just for updates sake. I have been stoopid busy lately. I just got through testing an srx3400 (which is the low-end midrange box, there are three other higher performing boxes) for performance using breaking point elite box. All I can say is wow, these product line is off the charts in terms of performance, mind boggling connections per second.  I have also been working on some new junoscripts to display in the cli a more concise summary of the policy hit counts much like you would see in IOS. I have also been working on a UAC/NAC proof of concept using juniper’s UAC, SA 2500, ex 4200, an SSG5 and an enterasys 2G4072-52.

Here is what i tested in SRX and some perf numbers (Junos 9.5)

Perf numbers:

Ran IMIX of tcp traffic, ramping up 150K new connections per second up to 1M concurrent sessions, 10Gbps throuhput for 10 mins. This was with full stateful firewall. This test was done using a breaking point elite with 2x10GE ports.

Also successfully ran 10Gbps udp at 1400bytes packets, 512 byte packets, no problem. 64 byte packets are a problem because there is a hard limit of 1M pps on each SPC.

Other SRX tests:

Jsrp – sessions are replicated, as of 9.5 only link detection for failover, 9.6 you can do track ip

NSM management – everything we wanted to see was there

Traffic logs – you can log session init, session close, idp deny, acl deny, however this must be sent out an IOC, not outa management port. this is because of the sheer volume of logs.

IDP – was able to block chat (Yahoo, gmail chat, aol IM)

Also working on some similar ns5k testing. I can post configs for any of this if anyone is interested.

Advertisements
Posted in Uncategorized. Tags: , . 6 Comments »

6 Responses to “What I have been up to: SRX performance is off the charts”

  1. T Bomb Says:

    Can you share some of the configs? Interested in the IDP stuff…..

  2. hacksjuniper Says:

    Sure. These perf numbers were with idp disabled. I will post them in the next day or so.

  3. hacksjuniper Says:

    Sorry took so long, here is the config used for idp blocking chat

    ## Last changed: 2009-07-29 17:27:13 UTC
    version 9.5R2.7;
    system {
    host-name SRX3400-59;
    root-authentication {
    encrypted-password “$1$j/2zv7or$16CLdI39tzxD9vn7jvLVt0”; ## SECRET-DATA
    }
    scripts {
    op {
    file check-interface-bw.slax;
    file check-sessions.slax;
    }
    }
    login {
    user lab {
    uid 2005;
    class superuser;
    authentication {
    encrypted-password “$1$kAfHsXF3$Bw/OgA.Nr9X/N6XnSMJKE0”; ## SECRET-DATA
    }
    }
    }
    services {
    ftp;
    ssh;
    telnet;
    netconf {
    ssh;
    }
    outbound-ssh {
    client nsm {
    device-id EBC103;
    secret “$9$UGiqf36A1RSTzRSreXxDik.Tzn/CuBI”; ## SECRET-DATA
    services netconf;
    X.X.45.12 port 7804;
    }
    }
    web-management {
    http {
    interface fxp0.0;
    }
    }
    }
    syslog {
    host 5.5.5.1 {
    any any;
    security any;
    firewall any;
    }
    file default-log-messages {
    any any;
    structured-data;
    }
    file opscripts.log {
    user alert;
    }
    }
    }
    interfaces {
    xe-1/0/0 {
    unit 0 {
    family inet {
    address 1.1.1.2/24;
    address 5.5.5.2/24;
    }
    }
    }
    xe-1/0/1 {
    unit 0 {
    family inet {
    address 2.2.2.2/24;
    address X.X.238.136/27;
    }
    }
    }
    fxp0 {
    unit 0 {
    family inet {
    address X.X.45.59/24 {
    master-only;
    }
    }
    }
    }
    lo0 {
    unit 0 {
    family inet {
    address 10.10.10.59/32;
    }
    }
    }
    }
    forwarding-options {
    sampling {
    input {
    family inet {
    rate 1;
    }
    }
    output {
    file filename test.log;
    }
    }
    }
    event-options {
    generate-event {
    check-sessions-timer time-interval 60;
    check-interface-bw time-interval 60;
    }
    policy check-sessions {
    events check-sessions-timer;
    then {
    event-script check-sessions;
    }
    }
    policy check-interface-bw {
    events check-interface-bw;
    then {
    event-script check-interface-bw.slax;
    }
    }
    }
    snmp {
    community public;
    }
    routing-options {
    static {
    route 172.0.0.0/8 {
    next-hop X.X.45.1;
    retain;
    }
    route 0.0.0.0/0 next-hop X.X.238.129;
    }
    }
    /* test */
    security {
    idp {
    idp-policy idp_im_cms {
    rulebase-ips {
    rule 1 {
    match {
    source-address any;
    destination-address any;
    application default;
    attacks {
    predefined-attack-groups CHAT;
    }
    }
    then {
    action {
    no-action;
    }
    notification {
    log-attacks {
    alert;
    }
    }
    }
    }
    }
    }
    active-policy idp_im_cms;
    }
    nat {
    source {
    pool sourcepool1 {
    address {
    X.X.238.136/32;
    }
    }
    rule-set ruleset1 {
    from zone trust;
    to zone untrust;
    rule rule1 {
    match {
    source-address 1.1.1.0/24;
    }
    then {
    source-nat pool sourcepool1;
    }
    }
    }
    }
    }
    log {
    format sd-syslog;
    source-address 5.5.5.2;
    stream test {
    severity info;
    host {
    5.5.5.1;
    port 514;
    }
    }
    }
    zones {
    functional-zone management {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    security-zone trust {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    xe-1/0/0.0;
    }
    }
    security-zone untrust {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    xe-1/0/1.0;
    }
    }
    }
    policies {
    from-zone trust to-zone untrust {
    policy 1 {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit {
    application-services {
    idp;
    }
    }
    log {
    session-init;
    session-close;
    }
    }
    }
    }
    from-zone untrust to-zone trust {
    policy 2 {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit {
    application-services {
    idp;
    }
    }
    log {
    session-init;
    session-close;
    }
    }
    }
    }
    default-policy {
    deny-all;
    }
    }
    }

  4. steve Says:

    Hi,

    Interesting information…where you able to test if the SRX 3400 was able to do stateful failover for the firewall connections ?

    Thanks
    Steve

    • hacksjuniper Says:

      Yes the srx can replicate stateful firewall sessions. However if alg are used, currently only tftp and ftp are supported, the alg state is NOT synced between boxes (As of 9.6)

  5. steve Says:

    Hi,

    Thanks for the feedback. I’m considering using the SRX 3400 in our Data Center but I have a lot of DNS, SMTP, CITRIX and HTTP traffic for which I need stateful failover. Does this mean that e.g. Citrix or SMTP will not be synchronized ?

    Thanks
    steve


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

%d bloggers like this: